Author Topic: Zentyal Password Synchronization with Google Apps Education  (Read 5436 times)

ashokjp

  • Zen Apprentice
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
I have configured Zentyal and was able to synchronize my user accounts with my Google Apps account using GADS (Google Apps Directory Sync tool).

But passwords read from the userPassword field just don't work.

If I open LDAP and manually set the userPassword field, that password gets synced and login works fine. But the password set through the Zentyal admin page either doesn't get synced to Google, or is somehow not in the format that Google wants.

I searched all over the internet and found no solution for successful password syncing. Some have found a solution, but none have posted how they got it. Any help would be deeply appreciated.

christian

  • Guest
Re: Zentyal Password Synchronization with Google Apps Education
« Reply #1 on: May 06, 2013, 12:02:24 pm »
I remember this topic as having already been discussed here (even many times).
Did you search this forum?

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #2 on: May 06, 2013, 12:57:44 pm »
I am sorry if this is a repost, but I did search the forums. I did find a few posts, but all were related to issues in syncing user accounts, none about passwords. One topic had a post where a member concluded that password sync is difficult.

I searched many times, even just now; unfortunately I couldn't find the posts you are referring to that would resolve my concern.

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #3 on: May 07, 2013, 10:34:21 am »
christian?? Any update?

christian

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #4 on: May 07, 2013, 11:02:07 am »
Oops, sorry, I was not thinking that you were expecting an update from my side  :-[

I don't use Google Apps and would never have been comfortable having my company credentials stored on Google's side, so I never investigated such a project; I only remember that it has been discussed here and there.
I can't really help. Sorry.

However, from what I understood when I quickly looked at this, password sync with Google Apps has some restrictions based on how the password is stored in the source LDAP (here Zentyal).
Only base64  :o  SHA-1 and MD5 are supported.
SSHA is not.

What I suspect is that when you change the password using the command line, you do not specify {SSHA}, while I suppose this is how the GUI stores it.
But I can't help further than this.
BTW, which Zentyal version are you running?

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #5 on: May 07, 2013, 11:19:00 am »
As I said, I still can't find the topic you say has been discussed here, as all that's discussed is how to sync users, and some of how to configure the Google GADS app to sync, none about the password issue.

Google Apps Directory Sync has options to read these formats: MD5, SHA1, PlainText, and base64.

I tried all these formats; accounts are getting synced and no errors are thrown, but the password I set through Zentyal just doesn't work.

I am running the latest Zentyal version.

And a correction: I didn't try a command-line password change. I opened an LDAP connection using the root DN, updated the password manually in the userPassword field, tried syncing, and it worked. Meaning, it synced and it worked in Google authentication. So there is no problem in syncing; it somehow has something to do with which format (encryption as well as formation of the password) Zentyal stores, and where it stores the password.
« Last Edit: May 07, 2013, 11:21:47 am by ashokjp »

christian

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #6 on: May 07, 2013, 11:29:50 am »
OK, when I said command line, this is exactly what your LDAP admin application will do, meaning applying the "ldapmodify" command.
So you can do it using a GUI through whatever application you want or the command line; in the end, from the LDAP server's standpoint, this is exactly the same  ;)

If you can't find a relevant topic here, then it means I was wrong and there is none. Apologies.

Then you just confirmed that my assumption is correct 8): you are facing a limitation due to the way Google Apps expects the password to be stored.
So either you ask Google to support other password encryption schemes or ask Zentyal to also support what Google expects, but this aside, I doubt you will ever succeed.

If you were using Zentyal 2.2, you could achieve it, as Zentyal stores different password schemes in different attributes.
With 3.0, I don't know, but I don't think so, at least in the standard LDAP container. I didn't check the Samba-LDAP one.

What I can however confirm is that both Zentyal 2.2 and 3.0 store at least one password in the "userpassword" LDAP attribute.
I can't help further, sorry.
Either wait for Zentyal feedback or for someone who has investigated this deeper.

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #7 on: May 07, 2013, 01:09:25 pm »
Is there any way we can read the contents of the userPassword field?

Not necessarily the password, but its encrypted form would be fine.

So I can match the password and see what the issue is.

christian

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #8 on: May 07, 2013, 01:22:04 pm »
You could read it, but this will be totally useless.
Reading the clear password is not feasible if it is not stored in clear text, or at least in a way you can revert.
Reading the encrypted password is useless, except if you want to copy/paste the content to another directory.

BTW, it looks like userpassword in Zentyal 3.0 uses the K5KEY scheme  ;)

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #9 on: May 07, 2013, 02:41:04 pm »
Nope, what I meant was: if I can figure out a way to read the userPassword field, I could just verify formats before sync.

Such that, if the field has MD5 data, I could encrypt my password manually using MD5 and compare hashes, and similar things.

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #10 on: May 07, 2013, 02:44:25 pm »
I read the field using an LDAP LDIF dump. Decrypted using base64, and all I get is {K5KEY} as the value for all usernames.

Either I am wrong somewhere or the userPassword field in Zentyal 3.0 doesn't have the password at all.

Maybe this is the reason why, when I update the encrypted password manually in this field, it works in sync.
« Last Edit: May 07, 2013, 02:46:28 pm by ashokjp »

christian

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #11 on: May 07, 2013, 02:47:28 pm »
- With Zentyal 3.0, userpassword uses K5KEY (I just checked a few minutes ago)
- You can read it using the ldapsearch command, but your LDAP admin console can perhaps do it too.
- I don't understand how this helps. Suppose you can read someone else's encrypted userpassword attribute. So what? Are you trying multiple passwords with the same scheme until you get the same encrypted string? Why not. This is known as a brute force attack. You can try, but this is very, very time consuming if not done with some advanced tool like JTR  ;)  Or do you have something else in mind that I don't understand?

Frankly, to me the answer is pretty clear: as far as the userpassword attribute is concerned, Zentyal and Google Apps implementations are not compatible, and I don't think there is any easy workaround. (I didn't check, however, the Samba-LDAP content on the Zentyal side.)

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #12 on: May 07, 2013, 03:03:22 pm »
I know the password I am setting for the account I am testing, and I don't need brute force to find it; what I am trying is to find the field in LDAP which stores that password.

The userPassword field no longer has the password or password hash in any form. As of now it simply stores the base64-encoded form of the string "{K5KEY}", which is neither the password nor the key. No matter what the user sets, it stores the very same data in this field.

I don't understand Kerberos, but if there is someone who has successfully synced the password to Google, I would like to know from which field he synced and what changes were done.

christian

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #13 on: May 07, 2013, 03:14:09 pm »
The explanation is here (partially), and yes, it assumes Kerberos...
You can also access krb5key valueS from LDAP, but does it make sense, as this is a ticket?

ashokjp: trust me, you will not synchronize userpassword between Zentyal LDAP and Google Apps. I understand this is frustrating, but Google states this pretty clearly if I remember well.

Your only choice is to give Samba-LDAP a try (I don't know what it contains) or to downgrade to Zentyal 2.2.
« Last Edit: May 07, 2013, 03:16:52 pm by christian »

ashokjp

Re: Zentyal Password Synchronization with Google Apps Education
« Reply #14 on: May 07, 2013, 03:18:52 pm »
What I meant is: if I can get any of these password forms anywhere in LDAP, I can get it synced to Google.

- Password in plaintext
- Password CRYPT hash
- Password MD5 hash
- Password SHA1 hash
- Password base64 hash

If Kerberos stores any of these forms anywhere in any field, that would solve my concern.
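Added example (not code from this thread, from Zentyal or from Google): a small Python script for the check ashokjp describes in replies #10, #12 and #14. It reads userPassword values out of an LDIF dump (decoding the base64 `::` form), reports which RFC 2307 scheme prefix each value carries, flags whether that scheme is one of the formats the thread says GADS can read (plaintext, MD5, SHA-1; base64 is how LDIF wraps them), and verifies a password you already know for your own test account against the stored hash. The mapping of GADS formats onto scheme prefixes is my assumption, and the LDIF dump, DNs, salt and password are constructed. The point it makes visible is the one from reply #12: a value that is only the marker `{K5KEY}` holds no hash at all, so nothing in that attribute can ever be checked or synchronized.

```python
import base64
import hashlib
import re

# Formats the thread says Google Apps Directory Sync reads: MD5, SHA1, plaintext,
# base64. Mapping them onto RFC 2307 prefixes is an assumption of this example;
# salted {SSHA}/{SMD5} and the {K5KEY} marker fall outside it.
GADS_READABLE = {"{MD5}", "{SHA}", "plaintext"}

# attr: value   or   attr:: base64value
LDIF_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Tiny LDIF reader: list of entries, each a dict attr(lowercase) -> [values].
    Unfolds continuation lines (leading space) and decodes '::' base64 values."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def scheme_of(value):
    """RFC 2307 prefix such as '{SSHA}' or '{K5KEY}', else 'plaintext'."""
    m = re.match(r"^\{[A-Za-z0-9-]+\}", value)
    return m.group(0).upper() if m else "plaintext"


def rfc2307_encode(scheme, password, salt=b""):
    """Build a userPassword value; used here only to construct the sample dump."""
    pw = password.encode()
    if scheme == "{SHA}":
        digest = hashlib.sha1(pw).digest()
    elif scheme == "{SSHA}":
        digest = hashlib.sha1(pw + salt).digest()
    elif scheme == "{MD5}":
        digest = hashlib.md5(pw).digest()
    elif scheme == "{SMD5}":
        digest = hashlib.md5(pw + salt).digest()
    else:
        raise ValueError(scheme)
    return scheme + base64.b64encode(digest + salt).decode()


def matches_known_password(value, password):
    """True/False when a password the operator already knows (own test account)
    can be checked against the stored value; None when the scheme carries no
    checkable hash, e.g. the bare '{K5KEY}' marker the thread observed."""
    scheme = scheme_of(value)
    if scheme == "plaintext":
        return value == password
    try:
        raw = base64.b64decode(value[len(scheme):])
    except ValueError:
        return None
    pw = password.encode()
    if scheme == "{SHA}":
        return raw == hashlib.sha1(pw).digest()
    if scheme == "{MD5}":
        return raw == hashlib.md5(pw).digest()
    if scheme == "{SSHA}":                      # 20-byte digest, then salt
        return raw[:20] == hashlib.sha1(pw + raw[20:]).digest()
    if scheme == "{SMD5}":                      # 16-byte digest, then salt
        return raw[:16] == hashlib.md5(pw + raw[16:]).digest()
    return None


def audit(ldif_text, known_password=None):
    """One row per userPassword value: dn, scheme, GADS readability and
    (optionally) whether it encodes the known test password."""
    rows = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("userpassword", []):
            scheme = scheme_of(value)
            rows.append({
                "dn": dn,
                "scheme": scheme,
                "gads_readable": scheme in GADS_READABLE,
                "matches_known": (matches_known_password(value, known_password)
                                  if known_password is not None else None),
            })
    return rows


# Constructed sample dump (not from a real Zentyal server). alice mimics what
# the thread reports for Zentyal 3.0: userPassword is just base64("{K5KEY}").
SALT = b"\x01\x02\x03\x04"
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=Users,dc=example,dc=com",
    "userPassword:: e0s1S0VZfQ==",
    "",
    "dn: uid=bob,ou=Users,dc=example,dc=com",
    "userPassword: " + rfc2307_encode("{SSHA}", "Secret123", SALT),
    "",
    "dn: uid=carol,ou=Users,dc=example,dc=com",
    "userPassword: " + rfc2307_encode("{SHA}", "Secret123"),
    "",
])

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF, known_password="Secret123"):
        print(row)
```

Run against a real dump (`ldapsearch -LLL ... userPassword > dump.ldif`, then `audit(open("dump.ldif").read(), "your-test-password")`), the output tells you in one pass which entries carry a hash GADS could consume and which carry only the `{K5KEY}` marker; the known-password check only ever confirms or denies the one password you supply for your own account.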